Privilege Escalation via GDB CAP_SYS_PTRACE
Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to escalate their privileges to root.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/01/09"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is
11elevated to UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace
12system call, which is typically used for debugging and allows the process to trace and control other processes.
13Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order
14to escalate their privileges to root.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Privilege Escalation via GDB CAP_SYS_PTRACE"
21risk_score = 47
22rule_id = "c296f888-eac6-4543-8da5-b6abb0d3304f"
23setup = """## Setup
24
25
26This rule requires data coming in from Elastic Defend.
27
28### Elastic Defend Integration Setup
29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
30
31#### Prerequisite Requirements:
32- Fleet is required for Elastic Defend.
33- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
34
35#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
36- Go to the Kibana home page and click "Add integrations".
37- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
38- Click "Add Elastic Defend".
39- Configure the integration name and optionally add a description.
40- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
41- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
42- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
43- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
44For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
45- Click "Save and Continue".
46- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
47For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
48"""
49severity = "medium"
50tags = [
51 "Domain: Endpoint",
52 "OS: Linux",
53 "Use Case: Threat Detection",
54 "Tactic: Privilege Escalation",
55 "Data Source: Elastic Defend",
56 "Resources: Investigation Guide",
57]
58type = "eql"
59
60query = '''
61sequence by host.id, process.entry_leader.entity_id with maxspan=1m
62 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "gdb" and
63 (process.thread.capabilities.effective : "CAP_SYS_PTRACE" or process.thread.capabilities.permitted : "CAP_SYS_PTRACE") and
64 user.id != "0"]
65 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
66 process.name != null and user.id == "0"]
67'''
68note = """## Triage and analysis
69
70> **Disclaimer**:
71> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
72
73### Investigating Privilege Escalation via GDB CAP_SYS_PTRACE
74
75The CAP_SYS_PTRACE capability in Linux allows processes to trace and control other processes, a feature primarily used for debugging. Adversaries can exploit this by using GDB with this capability to inject code into processes running as root, thereby escalating privileges. The detection rule identifies such abuse by monitoring sequences where GDB is executed with CAP_SYS_PTRACE, followed by a process running as root, indicating potential privilege escalation.
76
77### Possible investigation steps
78
79- Review the alert details to identify the specific host and process entity ID where the GDB execution with CAP_SYS_PTRACE was detected.
80- Examine the process tree on the affected host to determine the parent process of GDB and any child processes it may have spawned, focusing on any processes running as root.
81- Check the user account associated with the GDB execution to verify if it is a legitimate user and assess if there are any indications of compromise or misuse.
82- Investigate the timeline of events around the alert to identify any preceding or subsequent suspicious activities, such as unauthorized access attempts or changes in user privileges.
83- Analyze system logs and audit records for any signs of unauthorized access or privilege escalation attempts, particularly focusing on the time window specified by the maxspan of 1 minute in the query.
84- Correlate the findings with other security alerts or incidents on the same host to determine if this event is part of a larger attack campaign.
85
86### False positive analysis
87
88- Development environments where GDB is frequently used for legitimate debugging purposes may trigger false positives. To mitigate this, consider excluding specific user accounts or processes that are known to use GDB regularly for debugging.
89- Automated testing systems that utilize GDB for testing applications with elevated privileges might be flagged. Implement exceptions for these systems by identifying and excluding their specific process names or user IDs.
90- Security tools or monitoring solutions that use GDB with CAP_SYS_PTRACE for legitimate monitoring or analysis tasks can cause false alerts. Review and whitelist these tools by their process names or associated user accounts.
91- System administrators or developers who have legitimate reasons to use GDB with elevated capabilities should be identified, and their activities should be excluded from the rule to prevent unnecessary alerts.
92- Scheduled maintenance scripts that involve GDB for system diagnostics or performance tuning may be misinterpreted as malicious. Exclude these scripts by their execution schedule or specific identifiers.
93
94### Response and remediation
95
96- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.
97- Terminate any suspicious processes identified as running with elevated privileges, especially those involving GDB with CAP_SYS_PTRACE.
98- Revoke CAP_SYS_PTRACE capability from non-essential users and processes to limit potential abuse.
99- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized privilege escalations have occurred.
100- Restore the affected system from a known good backup if any unauthorized changes or code injections are detected.
101- Monitor the affected and related systems for any signs of persistence mechanisms or further malicious activity.
102- Report the incident to the appropriate internal security team or authority for further investigation and potential escalation if necessary."""
103
104
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107[[rule.threat.technique]]
108id = "T1055"
109name = "Process Injection"
110reference = "https://attack.mitre.org/techniques/T1055/"
111[[rule.threat.technique.subtechnique]]
112id = "T1055.008"
113name = "Ptrace System Calls"
114reference = "https://attack.mitre.org/techniques/T1055/008/"
115
116
117[[rule.threat.technique]]
118id = "T1068"
119name = "Exploitation for Privilege Escalation"
120reference = "https://attack.mitre.org/techniques/T1068/"
121
122
123[rule.threat.tactic]
124id = "TA0004"
125name = "Privilege Escalation"
126reference = "https://attack.mitre.org/tactics/TA0004/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Privilege Escalation via GDB CAP_SYS_PTRACE
The CAP_SYS_PTRACE capability in Linux allows processes to trace and control other processes, a feature primarily used for debugging. Adversaries can exploit this by using GDB with this capability to inject code into processes running as root, thereby escalating privileges. The detection rule identifies such abuse by monitoring sequences where GDB is executed with CAP_SYS_PTRACE, followed by a process running as root, indicating potential privilege escalation.
Possible investigation steps
- Review the alert details to identify the specific host and process entity ID where the GDB execution with CAP_SYS_PTRACE was detected.
- Examine the process tree on the affected host to determine the parent process of GDB and any child processes it may have spawned, focusing on any processes running as root.
- Check the user account associated with the GDB execution to verify if it is a legitimate user and assess if there are any indications of compromise or misuse.
- Investigate the timeline of events around the alert to identify any preceding or subsequent suspicious activities, such as unauthorized access attempts or changes in user privileges.
- Analyze system logs and audit records for any signs of unauthorized access or privilege escalation attempts, particularly focusing on the time window specified by the maxspan of 1 minute in the query.
- Correlate the findings with other security alerts or incidents on the same host to determine if this event is part of a larger attack campaign.
False positive analysis
- Development environments where GDB is frequently used for legitimate debugging purposes may trigger false positives. To mitigate this, consider excluding specific user accounts or processes that are known to use GDB regularly for debugging.
- Automated testing systems that utilize GDB for testing applications with elevated privileges might be flagged. Implement exceptions for these systems by identifying and excluding their specific process names or user IDs.
- Security tools or monitoring solutions that use GDB with CAP_SYS_PTRACE for legitimate monitoring or analysis tasks can cause false alerts. Review and whitelist these tools by their process names or associated user accounts.
- System administrators or developers who have legitimate reasons to use GDB with elevated capabilities should be identified, and their activities should be excluded from the rule to prevent unnecessary alerts.
- Scheduled maintenance scripts that involve GDB for system diagnostics or performance tuning may be misinterpreted as malicious. Exclude these scripts by their execution schedule or specific identifiers.
Response and remediation
- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified as running with elevated privileges, especially those involving GDB with CAP_SYS_PTRACE.
- Revoke CAP_SYS_PTRACE capability from non-essential users and processes to limit potential abuse.
- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized privilege escalations have occurred.
- Restore the affected system from a known good backup if any unauthorized changes or code injections are detected.
- Monitor the affected and related systems for any signs of persistence mechanisms or further malicious activity.
- Report the incident to the appropriate internal security team or authority for further investigation and potential escalation if necessary.
Related rules
- At Job Created or Modified
- Cron Job Created or Modified
- Docker Escape via Nsenter
- Kernel Load or Unload via Kexec Detected
- Modification of Dynamic Linker Preload Shared Object